169 matches found
CVE-2022-31172 OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers
OpenZeppelin Contracts is a library for smart contract development. Versions 4.1.0 until 4.7.1 are vulnerable to the SignatureChecker reverting. SignatureChecker.isValidSignatureNow is not expected to revert. However, an incorrect assumption about Solidity 0.8's abi.decode allows some cases to...
PT-2022-20584 · Openzeppelin · Openzeppelin Contracts
Name of the Vulnerable Software and Affected Versions: OpenZeppelin Contracts versions 4.0.0 through 4.7.1 Description: The issue concerns the ERC165Checker in OpenZeppelin Contracts, which may revert instead of returning false under certain conditions. Specifically, this occurs when a target...
PYSEC-2022-43143
OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts unusable on live networks. This issue affects all accounts vanilla and ethereum flavors in the...
CVE-2022-31153 OpenZeppelin Contracts for Cairo account cannot process transactions on Goerli
OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts unusable on live networks. This issue affects all accounts vanilla and ethereum flavors in the...
Update initializer modifier to prevent reentrancy during initialization
Lines of code Vulnerability details Impact The solution uses: "@openzeppelin/contracts": "^4.0.0", "@openzeppelin/contracts-upgradeable": "^4.3.2", These dependencies have a known high severity vulnerability: Which makes these contracts vulnerable: contracts/helpers/CryptoPunksHelper.sol: 19:...
[WP-H0] Wrong implementation of EIP712MetaTransaction
Lines of code Vulnerability details 1. EIP712MetaTransaction is a utils contract that is intended to be inherited by concrete actual contracts; therefore, its initializer function should not use the initializer modifier; instead, it should use onlyInitializing modifier. See the implementation of...
Privilege Escalation
openzeppelin/contracts is vulnerable to privilege escalation. The vulnerability exists due to the lack of sanitization in the initializer function which allowed an actor with executor role to escalate privileges...
Safe transfers are vulnerable to EOA calls
Handle 0x1f8b Vulnerability details Impact Safe erc20 calls are prone to EOA calls and human errors. Proof of Concept Recently there was one of the biggest hacks in crypto, 80m$ was lost. One of the root causes of the vulnerability was the fact that tokenAddress.safeTransferFrom does not revert...
4337-snap (>=0.1.0 <=0.1.1), @1inch/limit-order-protocol-contract (>=4.0.0 <=4.3.3) +223 more potentially affected by unknown CVE via @openzeppelin/contracts (>=4.3.0 <=4.4.1)
@openzeppelin/contracts NPM version =4.3.0, =0.1.0, =4.0.0, =4.0.1, =2.0.0, =0.1.0, =0.9.5, =1.0.0, =2.0.9, =0.0.1, =0.0.1, =1.0.0, =0.0.28, =0.4.1, =0.7.5 - @biconomy-devx/paymasters =1.0.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-M6W8-FQ7V-PH4M...
0x-hunter-core (>=1.0.0-33 <=1.0.0-38), 1155-to-20 (>=1.0.0 <=1.0.2) +2709 more potentially affected by CVE-2021-46320 +1 more via @openzeppelin/contracts (>=3.2.0 <=4.4.0)
@openzeppelin/contracts NPM version =3.2.0, =1.0.0-33, =1.0.0, =0.1.0, =1.0.0, =1.0.0, =1.9.1, =3.24.7, =1.7.2, =3.10.3, =0.0.2, =1.4.1, =1.0.0, =1.12.0 - @0xkkkkkkkkkkkkkkk/dodo =2.0.1 and more Source cves: CVE-2021-46320, CVE-2022-39384 Source advisory: OSV:GHSA-9C22-PWXW-P6HX...
Usage of an incorrect version of ERC20Permit contract can give unknown token with 0 decimals after upgrade.
Handle Jujic Vulnerability details Impact Based on the context and comments in the code, the Malt.sol contract is designed to be deployed as an upgradeable proxy contract. In Solidity, code that is inside a constructor or part of a global variable declaration is not part of a deployed contract’s...
ERC1155Supply vulnerability in OpenZeppelin Contracts
Handle defsec Vulnerability details Impact When ERC1155 tokens are minted, a callback is invoked on the receiver of those tokens, as required by the spec. When including the ERC1155Supply extension, total supply is not updated until after the callback, thus during the callback the reported total...
@avalabs/avalanche-wallet-sdk (>=0.9.5 <=0.10.2), @b0dhidharma/contract-utils (=0.1.1) +66 more potentially affected by unknown CVE via @openzeppelin/contracts (>=4.2.0 <=4.3.2)
@openzeppelin/contracts NPM version =4.2.0, =0.9.5, =0.0.2, =0.0.1, =0.0.1, =1.0.0, =0.0.1, =1.1.0, =0.0.1, =3.0.0-alpha.2, =3.0.0-alpha.1, =3.0.0-alpha.1, =3.0.0-alpha.1, =3.0.0-alpha.4 and more Source cves: unknown CVE Source advisory: OSV:GHSA-WMPV-C2JP-J2XG...
Privilege Escalation
openzeppelin-contracts is vulnerable to privilege escalation. Remote attackers are able to exploit vulnerable upgradeTo and upgradeToAndCall functions in UUPSUpgradeable component due to uninitialized implementation contracts...
CVE-2021-41264
OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of @openzeppelin/contracts and...
Design/Logic Flaw
OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of @openzeppelin/contracts and...